Thursday, 10 September 2009

Experiment 8 on Understanding File System under Ubuntu

These experiments were my private experiments to understand file systems, particularly FAT. Hopefully they can help anyone who would like to explore the topic.

Introduction :

Computers need a method to arrange and manage their files. This method is simply called a file system, and it lets a computer manage the files stored on storage media such as magnetic disks, optical disks and solid state disks. Each file is assigned the sectors allocated to it so that it will not be overwritten by other files as long as it is not deleted; even after files are deleted, they can still be recovered fully or partially because their sector allocations remain in the records of the file system. With a file system, a computer can easily open, read and save files even when they share the same name but have different extensions, such as document1.doc, document1.odt or document1.txt.

There are many types of file system, but only a few are well known and widely used: FAT16, FAT32 and NTFS for the Windows operating system (OS); ext2, ext3 and swap for Linux; and HFS and HFS+ for Mac OS. This exercise explores file systems, especially FAT.

Description of Experiment :

First of all, I used my flashdisk as the experiment object. It is 1GB with a FAT32 file system. I stored some files with the extensions .doc, .odt, .pdf, .jpg, .png and .mp3 in order to see how the file system deals with various kinds of file.

Using the commands :

“fdisk -l” displays the partitions attached to the machine; one of them was /dev/sdb1 from my flashdisk. Then “mount /dev/sdb1 /media/flashdisk”, followed by “ls -l”, lists the files on the experiment flashdisk.

Figure 1

/dev/sdb1 is the experiment flashdisk containing some files

By using the command “dd if=/dev/sdb1 bs=512 count=1 | hexdump -C”, the first 512 bytes of the flashdisk are printed. This is the first sector, containing the Master Boot Record (MBR), which holds the primary partition table that tells the OS how to deal with the flashdisk and its files. This sector is also known as the boot sector. The command displays the byte offset on the left, the hexadecimal bytes in the middle and the ASCII characters on the right.

From the figure below, the following can be observed :

The boot sector starts with the hexadecimal code “eb 58 90” and ends with “55 aa” (also known as the 'boot signature').

The ASCII characters “MSDOS5.0” show that this flashdisk was formatted using Microsoft DOS version 5.0.

The ASCII characters “FAT32” show that this flashdisk uses the FAT32 file system for its partition table.

The ASCII characters “NTLDR”, the abbreviation of “NT Loader”, show that this flashdisk contains the boot loader from a Microsoft Windows NT OS such as Windows 2000 or XP.

Figure 2

The first 512 bytes of the experiment flashdisk

To understand how a file is saved by an application and how the file system finds and decides which type of application can open the file, the first bytes of the file are noted. Each file on the experiment flashdisk was opened with the command “hexdump -C | more”. The figures below show different first bytes for different file extensions, which explains that the first bytes of a file are very important for connecting the file with the OS; the OS then finds and decides which application is suitable to open, write or save the file.

Figure 3

An MP3 file starts with the hex codes “ff fb 90 44”

Figure 4

A PNG file starts with the hex codes “89 50 4e 47”

Figure 5

A JPG file starts with the hex codes “ff d8 ff e1”

Figure 6

An ODT file starts with the hex codes “50 4b 03 04”

Figure 7

A DOC file starts with the hex codes “d0 cf 11 e0”

These first bytes are also known as “magic numbers”. Interestingly, even if the file extension is manipulated, the first bytes of the file do not change, so the file system still recognises the file.
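As an added example (not part of the original post), the Python below applies the magic numbers listed above to find files whose extension contradicts their first bytes, which is the renamed-file case just described. The sample files and their names are constructed here, and the MP3 match is shortened to the “ff fb” frame-sync prefix because the bytes after it vary from file to file.

```python
import os
import tempfile

# Magic numbers as read from the hexdump figures above; only the stable prefix is
# matched (for MP3 the "90 44" after the "ff fb" frame sync varies with the bitrate).
SIGNATURES = {
    "mp3": b"\xff\xfb",
    "png": b"\x89\x50\x4e\x47",
    "jpg": b"\xff\xd8\xff",
    "odt": b"\x50\x4b\x03\x04",   # ZIP container, also used by .docx and .jar
    "doc": b"\xd0\xcf\x11\xe0",   # OLE2 compound file, also used by .xls and .ppt
}

def identify(header: bytes):
    # Return the type whose magic number opens `header`, or None if unknown.
    return next((t for t, magic in SIGNATURES.items() if header.startswith(magic)), None)

def check_file(path: str):
    # Compare the extension with the content; returns (ext, detected, mismatch).
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    with open(path, "rb") as fh:
        header = fh.read(8)
    detected = identify(header)
    # Only flag when both sides are known and disagree; unknown content is not judged.
    return ext, detected, detected is not None and ext in SIGNATURES and detected != ext

def scan_directory(root: str):
    # List (name, ext, detected) for every file whose extension contradicts its bytes.
    report = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if os.path.isfile(path):
            ext, detected, mismatch = check_file(path)
            if mismatch:
                report.append((name, ext, detected))
    return report

def build_sample_directory():
    # Constructed sample: three honest files and one JPEG renamed to .doc.
    root = tempfile.mkdtemp(prefix="magic_")
    samples = {
        "notes.odt": b"\x50\x4b\x03\x04" + b"\x00" * 28,
        "logo.png": b"\x89\x50\x4e\x47\x0d\x0a\x1a\x0a" + b"\x00" * 24,
        "song.mp3": b"\xff\xfb\x90\x44" + b"\x00" * 28,
        "report.doc": b"\xff\xd8\xff\xe1" + b"\x00" * 28,  # really a JPEG
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root
```

Running `scan_directory(build_sample_directory())` returns only the renamed JPEG, `("report.doc", "doc", "jpg")`.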

Secondly, I tried something different and challenging: making the experiment flashdisk bootable using the application “usb-creator” from https://launchpad.net/ubuntu/intrepid/+source/usb-creator. This application allows a Linux OS to be installed on the flashdisk; in this case I installed the “Helix Live CD”, which is based on Ubuntu, onto the experiment flashdisk. It took approximately 10 minutes. After the installation finished, the flashdisk could be used to boot any current computer that supports booting from USB; it then displays Helix 3, which is widely used for forensic investigation.

This attempt was conducted to find out whether there was any difference in the boot sector of the experiment flashdisk before and after the installation. Interestingly, after running “fdisk -l”, it turned out that the flashdisk still uses the FAT32 file system although the Ubuntu-based Helix 3 had been installed on it from a Linux Ubuntu machine (my laptop, dual-booting Ubuntu and Windows XP), as displayed in the figure below.

Figure 8

/dev/sdb1 still uses FAT32 although the Ubuntu-based Helix 3 has been installed on it

With the same command as above, “dd if=/dev/sdb1 bs=512 count=1 | hexdump -C”, the following was found :

The boot sector still starts with the hex codes “eb 58 90” and ends with “55 aa”.

The ASCII characters “MSDOS5.0” show that the flashdisk was formatted by Microsoft DOS version 5.0.

The ASCII characters “FAT32” show that the flashdisk uses the FAT32 file system.

There is information on the byte offset line “0x0190” which cannot be found in figure 2 (before installation).

Figure 9

The boot sector of the flashdisk after the Ubuntu-based Helix OS has been installed on it

From the figure above, the following details are obtained :

The offset “0x00” with a length of 3 bytes, “eb 58 90” in hex, shows the jump instruction which the computer executes to reach the boot code in the boot sector.

The offset “0x0b” with a length of 2 bytes, “00 02” in hex, shows the number of bytes per sector. It is 512 bytes, the common value.

The offset “0x0d” with a length of 1 byte, “08” in hex, shows the number of sectors per cluster. It is 8 sectors per cluster.

The offset “0x0e” with a length of 2 bytes, “26 00” in hex, shows the reserved sector count, which is the number of sectors before the first FAT in the file system image. It is 38 reserved sectors.

The offset “0x10” with a length of 1 byte, “02” in hex, shows the number of file allocation tables. It is 2 FATs.

The offset “0x11” with a length of 2 bytes, “00 00” in hex, shows the maximum number of root directory entries, which is only used in FAT12 / FAT16. It is 0 for FAT32.

The offset “0x13” with a length of 2 bytes, “00 00” in hex, shows the total number of sectors. Because it is 0, the 4 bytes “e0 8f 1f 00” in hex at offset “0x20” are used instead. It is 14,716,703 sectors.

The offset “0x15” with a length of 1 byte, “f8” in hex, shows the media descriptor. It is in the hard disk group, single sided.

The offset “0x16” with a length of 2 bytes, “00 00” in hex, shows the number of sectors per FAT, for FAT12 / FAT16 only.

The offset “0x18” with a length of 2 bytes, “3f 00” in hex, shows the number of sectors per track. It is 63 sectors.

The offset “0x1a” with a length of 2 bytes, “ff 00” in hex, shows the number of heads. It is 255 heads.

The offset “0x1c” with a length of 4 bytes, “20 00 00 00” in hex, shows the number of hidden sectors. It is 32 sectors.

The offset “0x24” with a length of 4 bytes, “e1 07 00 00” in hex, shows the number of sectors per file allocation table. It is 57,607 sectors.

The offset “0x2c” with a length of 4 bytes, “02 00 00 00” in hex, shows the cluster number where the root directory starts. It is cluster 2.

The offset “0x30” with a length of 2 bytes, “01 00” in hex, shows the sector number of the FS Information sector. It is sector 1.

The offset “0x32” with a length of 2 bytes, “06 00” in hex, shows the sector number of the copy of this boot sector. It is sector 6.

The offset “0x34” with a length of 12 bytes is reserved.

The offset “0x42” with a length of 1 byte, “29” in hex, shows the extended boot signature.

The offset “0x43” with a length of 4 bytes, “a8 a6 ed fc” in hex, shows the volume ID (serial number).

The offset “0x47” with a length of 11 bytes shows the volume label. It is “NO NAME” in ASCII.

The offset “0x52” with a length of 8 bytes shows the FAT file system type. It is “FAT32” in ASCII.

The offset “0x5a” with a length of 420 bytes is used for the operating system boot code.

The offset “0x1fe” with a length of 2 bytes, “55 aa” in hex, shows the boot sector signature.
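As an added example (not from the post), the Python below decodes the FAT32 boot sector layout walked through above with `struct` and derives where the FATs and the data region begin. The sample sector is constructed from the field bytes given in the post, with the boot code zeroed and a drive number of 0x80 assumed at offset 0x40, which the post does not list.

```python
import struct

# FAT32 boot sector, offsets 0x00 to 0x59, all multi-byte fields little-endian.
# The first 36 bytes are common to FAT12/16/32, the rest is the FAT32 block.
BPB_FAT32 = struct.Struct("<3s8sHBHBHHBHHHII" + "IHHIHH12s" + "BBBI11s8s")
FIELDS = (
    "jump", "oem_name", "bytes_per_sector", "sectors_per_cluster",
    "reserved_sectors", "num_fats", "root_entries", "total_sectors_16",
    "media", "sectors_per_fat_16", "sectors_per_track", "heads",
    "hidden_sectors", "total_sectors_32", "sectors_per_fat_32", "ext_flags",
    "fs_version", "root_cluster", "fsinfo_sector", "backup_boot_sector",
    "reserved", "drive_number", "reserved1", "ext_boot_signature",
    "volume_id", "volume_label", "fs_type",
)

# Constructed sample sector: the field bytes reported in the post, boot code
# zeroed, drive number 0x80 assumed (the post does not list offset 0x40).
SAMPLE_SECTOR = bytes.fromhex(
    "eb 58 90 4d 53 44 4f 53 35 2e 30 00 02 08 26 00"  # 0x00 jmp, OEM, bps, spc, rsvd
    "02 00 00 00 00 f8 00 00 3f 00 ff 00 20 00 00 00"  # 0x10 fats, media, spt, heads, hidden
    "e0 8f 1f 00 e1 07 00 00 00 00 00 00 02 00 00 00"  # 0x20 totsec32, spf32, root cluster
    "01 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00"  # 0x30 fsinfo, backup boot, reserved
    "80 00 29 a8 a6 ed fc 4e 4f 20 4e 41 4d 45 20 20"  # 0x40 drive, ext sig, serial, label
    "20 20 46 41 54 33 32 20 20 20"                    # 0x50 label tail, "FAT32   "
) + b"\x00" * 420 + b"\x55\xaa"

def parse_boot_sector(sector: bytes) -> dict:
    """Decode the BPB and derive where the FATs and the data region start."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("no 55 aa boot signature at offset 0x1fe")
    bpb = dict(zip(FIELDS, BPB_FAT32.unpack_from(sector, 0)))
    # FAT32 leaves the 16-bit fields at 0 and uses the 32-bit ones instead.
    bpb["total_sectors"] = bpb["total_sectors_16"] or bpb["total_sectors_32"]
    bpb["sectors_per_fat"] = bpb["sectors_per_fat_16"] or bpb["sectors_per_fat_32"]
    bpb["fat_start_sector"] = bpb["reserved_sectors"]
    bpb["data_start_sector"] = bpb["reserved_sectors"] + bpb["num_fats"] * bpb["sectors_per_fat"]
    bpb["cluster_bytes"] = bpb["bytes_per_sector"] * bpb["sectors_per_cluster"]
    bpb["volume_bytes"] = bpb["total_sectors"] * bpb["bytes_per_sector"]
    return bpb

if __name__ == "__main__":
    for key, value in parse_boot_sector(SAMPLE_SECTOR).items():
        print(f"{key:20} {value!r}")
```

All multi-byte BPB fields are little-endian, so “e0 8f 1f 00” decodes as 0x001f8fe0 = 2,068,448 sectors (about 1 GB at 512 bytes each, matching the size of the flashdisk) and “e1 07 00 00” as 0x07e1 = 2,017 sectors per FAT.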

The similarity between figure 2 (the boot sector of the flashdisk before the installation of Ubuntu-based Helix 3) and figure 9 (after installation) lies in the offsets from “0x00” to “0x59”. The first 36 bytes are used by all versions of FAT, followed by 54 bytes which are used specifically by FAT32 and which differ from FAT12 / FAT16.

The difference between the two figures lies in the offsets from “0x5a” to “0x1fd”, which are used for the operating system boot code.

In figure 2 above :

The offsets from “0x170” to “0x17a”, containing NTLDR, show that the boot sector uses a FAT created under Windows 2000 or Windows XP.

There are data bytes “ac cb d8” in hex at the offsets “0x1f9 0x1fa 0x1fb”. The hex byte “ac” refers to offset “0x1ac” for the error message “Remove disks or other media”, “cb” points to offset “0x1cb” for the error message “Disk error” and “d8” points to offset “0x1d8” for the error message “Press any key to restart”.

Conclusion :

The similarity between the MBR of the experiment flashdisk before the installation of Ubuntu-based Helix 3 and the MBR after installation lies in the offsets from “0x00” to “0x59”, which are used for the FAT descriptions. On the other hand, they differ in the offsets from “0x5a” to “0x1fd”, which are used for the operating system boot code.

The data bytes “ac cb d8” in hex at the offsets “0x1f9 0x1fa 0x1fb” of the experiment flashdisk before the installation of Ubuntu-based Helix 3 refer to the error messages “Remove disks or other media”, “Disk error” and “Press any key to restart”.

The experiment flashdisk uses the FAT32 file system, which is described in the first 512 bytes (also known as the 'boot sector') of the flashdisk containing the Master Boot Record (MBR), as follows :

The first 36 bytes, from offset “0x00” to “0x23”, are used for the FAT descriptor which is set up for all versions of FAT. In my terminology, I call this the General Characteristics of FAT.

The 54 bytes from offset “0x24” to “0x59”, following the first 36 bytes, are used specifically by FAT32 or by FAT12 / FAT16 for the parameter block, which differ from each other. In my terminology, I call this the Class Characteristics of FAT.

The 420 bytes from offset “0x5a” to “0x1fd” are used for the operating system boot code.

The last 2 bytes, at offsets “0x1fe” and “0x1ff”, are known as the 'boot sector signature', which is “55 aa” in hex.

About Me

I have been working for the Indonesian Police Forensic Laboratory Centre (Puslabfor Bareskrim Polri) since 1997. My current job is Chief of the Computer Forensic Sub-Department. My core duties are to handle digital forensic investigation and analysis of electronic and digital evidence. I am the pioneer of developing computer forensic capabilities at Puslabfor Bareskrim Polri, which started in around 2000. Last year, in 2012, my team and I successfully investigated and analyzed 488 items of evidence which came from 81 cases of computer crime and computer-related crime.
In 2012 I wrote a book with the title "Digital Forensic: Practical Guidelines for Forensic Investigation". Its contents are mostly from the knowledge and science I gained from joining the MSc in Forensic Informatics at the University of Strathclyde in the UK in 2008/2009 through the Chevening Scholarships. In 2010, the British Council in Indonesia gave me a prestigious award as one of "The Super Six UK Alumni".